#Privacy: Telecoms group given access to NHS medical records without patient consent

Birmingham and Solihull Mental Health NHS Foundation Trust have been handing over medical data to Telefonica without obtaining the consent of patients. 

According to documents published last month under freedom of information laws, Telefonica, the Spanish group that trades as O2 in the UK, was given free access to a vast amount of medical records from Birmingham and Solihull Mental Health NHS Foundation Trust. 

The data included five years of anonymised records belonging to both former and current patients. Patients’ names and addresses were removed from the database. The document reports that 25,000 people in Birmingham and Solihull experience a mental health crisis every year, thus it can be assumed that the data shared could have been on tens of thousands of patients.

The Times reported that the telecom giant had been given access to the trove of records with the aim of developing an algorithm aimed at predicting when mental health crises might occur. 

This project is currently at its early stages, however an early pilot of the algorithm “saw clinicians provided with a list of 25 patients every two weeks who were predicted to go into crisis over the next 28 days,” explained The Times. 

The next stage will involve plans to incorporate phone data, most from likely an app, to further improve the algorithm, to which the NHS trust explained that patients will have the ability to opt-out. 

In a statement, the Birmingham and Solihull Mental Health NHS Foundation trust said that it was “proud to be at the forefront of promising research”, and that it hopes the algorithm will help those at risk. 

However, concerns have been raised about why consent was not obtained during the first stages of the project. 

Eva Blum-Dumontet from Privacy International said: “yet another example of a private company getting its hands on people’s data using the pretext of doing research to improve a public service.”

“People suffering from mental health are often in vulnerable situations and the very least they should be expecting from the NHS is to be protected and have their fundamental rights respected, not having to pay the price of healthcare with their privacy.”

Sam Smith from MedConfidential commented: “They are proposing to creep on patients for profit, flagging up ‘problems’ to already overstretched mental health services. Telefonica only cares about creating an algorithm it can sell. The NHS cares about the mental health of its patients. There is a discrepancy between those things.”

Telefonica has stated that the healthcare data does not leave the NHS servers and is not used for any other purposes other than the pilot. 

Dr Hilary Grant, executive medical director at Birmingham and Solihull Mental Health NHS Foundation Trust, said: “There is no reason for our patients to be concerned in any way about how their information is being used. Our number one priority remains to protect our current patients and their privacy.”

Steve Wright, CEO, Privacy Culture Ltd told PrivSec: “In my experience, a lot of organisations are still struggling, 20 months after GDPR came into force, to identify the appropriate lawful basis for processing personal  data (Article 6). The trust may have a legitimate purpose for scientific or research purposes, both of which carry legal data protection and burdens, but are legitimate in the interest of public health (e.g. prevention).

“This does raise the question of Transparency (Article 12), because of the principle of being informed, freely given consent and the protection of an individuals rights are all valid. The Trust should (and possibly did) consult with a law firm and have hopefully established a Data Ethics Committee, where such issues can be debated and decisions captured.”


PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.

For more information on upcoming events, visit the website.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.

Privacy Culture: Data Privacy and Information Security Consulting, Culture & Behaviour, Training, and GDPR maturity, covered. https://www.privacyculture.com/